Using Fortanix Data Security Manager with Keyfactor IIS Orchestrator

1.0 Introduction

This article describes the configuration steps required on Fortanix-Data-Security-Manager (DSM) and Keyfactor to store the RSA key pairs for Internet Information Services (IIS) web server certificates.

2.0 Architecture Workflow

The Keyfactor IIS orchestrator can remotely manage the certificates and their bindings that are bound to Internet Information Server (IIS) websites. An RSA key for the certificate can be generated and stored on Fortanix Data Security Manager throughout the certificate enrollment procedure from the Keyfactor command centre.

The Universal Orchestrator is part of the Keyfactor software distribution and is available using the Keyfactor customer portal.

2.1 Keyfactor IIS Orchestrator Workflow

1. A user creates the certificate enrollment request in the Keyfactor Command Portal.

2. The Keyfactor Orchestrator frequently checks for new jobs, and if a new enrollment request is found, the Keyfactor Orchestrator sends a Certificate Signing Request (CSR) generation request to the target machine

3. The target machine, which already has the Fortanix CNG client installed and configured using this machine, generates the CSR request

4. The CSR request is then submitted back to the Keyfactor Orchestrator and then to the Command Portal to sign in.

5. The Keyfactor Command Portal must be pre-configured with the desired Certificate Authority (CA) to submit the signing request.

6. The Keyfactor Command Portal then sends the signed certificate back to the Keyfactor Orchestrator.

7. The Keyfactor Orchestrator adds that certificate to the machine trust store and binds it to the IIS Webserver.

3.0 Prerequisites

1. Fortanix CNG Client (Download)

2. Fortanix API key to configure CNG client.

3. Windows IIS server admin access to install the CNG client.

4. Keyfactor Portal access to configure Orchestrator and for the certificate enrollment process.

5. Keyfactor Universal IIS Orchestrator version 10.1.1 or later.

4.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

4.1 Signing Up

To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

4.2 Creating an Account

Access the <Your_DSM_Service_URL> on the web browser and enter your credentials to log in to the Fortanix DSM.

4.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. Click the Groups menu item in the DSM left navigation panel and click the + button on the Groups page to add a new group.

   

2. On the Adding new group page, enter the following details:

   • Title: Enter a title for your group. For example, Keyfactor IIS Orchestrator.

   • Description (optional): Enter a short description for the group.

3. Click the SAVE button to create the new group.

The new group has been added to the Fortanix DSM successfully.

4.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. Click the Apps menu item in the DSM left navigation panel and click the + button on the Apps page to add a new app.

   

2. On the Adding new app page, enter the following details:

   • App name: Enter the name of your application.

   • ADD DESCRIPTION (optional): Enter a short description for the application.

   • Authentication method: Select the default API Key as the method of authentication from the drop down menu. For more information on these authentication methods, refer to User's Guide: Authentication documentation.

   • Assigning the new app to groups: Select the group created in Section 4.3: Creating a Group from the list.

3. Click the SAVE button to add the new application. 

The new application has been added to the Fortanix DSM successfully.

4.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

1. Click the Apps menu item in the DSM left navigation panel and click the app created in Section 4.4: Creating an Application to go to the detailed view of the app.

2. On the INFO tab, click the VIEW API KEY DETAILS button.

3. From the API Key Details dialog box, copy the API Key of the app to be used later.

5.0 Configure Key Factor IIS Orchestrator

This section describes the steps required to configure the Keyfactor IIS Orchestrator. For a more detailed explanation, see https://github.com/Keyfactor/iis-orchestrator.

1. Register the IIS universal Orchestrator with Keyfactor
   See the Keyfactor documentation, InstallingKeyfactorOrchestrators.pdf. Contact your Keyfactor representative for more details. Also make sure the IISU extension is enabled or configured on the Keyfactor Orchestrator.

   

2. Create the new certificate store type for the IIS Orchestrator: On the Keyfactor homepage, go to Settings (cog wheel icon) → Certificate Store Types → ADD

   

   • Certificate Store Type settings: Basic

     

   • Certificate Store Type settings: Advanced

     

   • Certificate Store Type settings: Custom Fields  

     

   • Certificate Store Type settings: Entry Parameters

     

     NOTE

     For the certificate that a reenrollment job is enrolling, the Provider Name field is required to generate and store the private key in the Fortanix DSM.

3. Create an IIS binding certificate store within the Keyfactor command center: On the Keyfactor home page, click Locations → Certificate Stores from the drop down menu.  

   

   

6.0 Certificate Enrollment

1. In the Management Portal, browse to Locations → Certificate Stores.

2. On the Certificate Stores page, select the Certificate Stores tab (the default when you first visit the page)

3. On the Certificate Stores tab, highlight the certificate to reenroll in the Certificate Stores table and click the REENROLLEMENT button at the top of the table or right-click the store location in the table and select Reenrollment from the right-click menu.

4. On the Reenrollment dialog, enter the following:

   • Subject Name for the new certificate using X.500 format

   • Port where to bind the site

   • IP Address

   • SNI Flag

   • Protocol

   • Provider Name as Fortanix KMS CNG Provider

   • Site Name

   • SAN (optional)

   • HostName

   • Certificate Authority

   • Select a Template

   NOTE

   If you do not select a template or CA for reenrollment, the values configured for the "Template for Submitted CSRs" and/or "Certificate Authority for Submitted CSRs" application setting(s) (see Application Settings in Keyfactor) will be used.

5. Click Done to submit the request.

   

   The reenrollment job will be scheduled to run immediately. Visit the Orchestrator Jobs page to check the progress of the job.

   

6.1 Binding

Check the binding status on IIS Site Binding settings.

6.2 Certificate

Check the certificate on the IIS server to confirm the cryptographic provider.